CVE-2025-24690 is a Local File Inclusion (LFI) vulnerability found in the Michele Giorgi Formality PHP application, affecting versions up to 1.5.7. The vulnerability stems from improper control over the filename parameter used in PHP include or require statements, allowing an attacker to manipulate the input to include arbitrary local files on the server. This can lead to disclosure of sensitive files such as configuration files, source code, or credentials, and may serve as a stepping stone for remote code execution if combined with other vulnerabilities or misconfigurations. The issue is categorized as 'Improper Control of Filename for Include/Require Statement' and is a common PHP security flaw when user input is not properly sanitized or validated before being used in file inclusion functions. Although no known exploits are currently reported in the wild, the vulnerability is publicly disclosed and documented in the CVE database. The lack of an official patch at the time of publication means that affected users must rely on temporary mitigations. The vulnerability affects the Formality product, which is a PHP-based form management system developed by Michele Giorgi, used in various web applications. The vulnerability was reserved in January 2025 and published in March 2025, indicating recent discovery and disclosure. No CVSS score has been assigned yet, but the nature of the vulnerability suggests a significant risk due to the potential for sensitive data exposure and further exploitation.

The impact of CVE-2025-24690 can be substantial for organizations using the affected Formality versions. Successful exploitation allows attackers to read arbitrary files on the server, potentially exposing sensitive information such as database credentials, configuration files, or user data. This can lead to data breaches, loss of confidentiality, and compromise of the affected system. In some scenarios, attackers may leverage the LFI vulnerability to execute arbitrary code remotely, especially if combined with other vulnerabilities or if the server environment is misconfigured. This could result in full system compromise, unauthorized access, and disruption of services. Organizations relying on Formality for critical web forms or data collection may face operational disruptions and reputational damage. The absence of known exploits in the wild currently reduces immediate risk, but the public disclosure increases the likelihood of future exploitation attempts. The vulnerability affects the integrity and confidentiality of systems and data, and potentially availability if exploited for denial-of-service or system takeover.

To mitigate CVE-2025-24690, organizations should first monitor for and apply any official patches or updates released by Michele Giorgi for Formality as soon as they become available. In the absence of patches, immediate steps include implementing strict input validation and sanitization on all user-supplied data used in include or require statements to prevent manipulation of file paths. Employ whitelisting of allowed files or directories for inclusion rather than relying on user input directly. Configure the PHP environment to disable dangerous functions such as allow_url_include and restrict file system permissions to limit access to sensitive files. Use web application firewalls (WAFs) to detect and block suspicious requests attempting to exploit file inclusion vulnerabilities. Conduct thorough code reviews and security testing to identify and remediate similar vulnerabilities. Additionally, consider isolating the Formality application in a restricted environment or container to limit the blast radius of potential exploitation. Regularly back up critical data and monitor logs for unusual access patterns indicative of exploitation attempts.